Abstract — We study the following private data transfer problem:
Alice has a database of files. Bob and Cathy want to access
a file each from this database (which may or may not be the 
same file), but each of them wants to ensure that their choices 
of file do not get revealed even if Alice colludes with the other 
user. Alice, on the other hand, wants to make sure that each 
of Bob and Cathy does not learn any more information from 
the database than the files they demand (the identities of which 
will be unknown to her). Moreover, they should not learn any 
information about the other files even if they collude. 

It turns out that it is impossible to accomplish this if Alice, 
Bob, and Cathy have access only to private randomness and 
noiseless communication links. We consider this problem when a 
binary erasure broadcast channel with independent erasures is 
available from Alice to Bob and Cathy in addition to a noiseless 
public discussion channel. We study the file-length-per-broadcast- 
channel-use rate in the honest-but-curious model. We focus on 
the case when the database consists of two files, and obtain the 
optimal rate. We then extend to the case of larger databases, and 
give upper and lower bounds on the optimal rate. 

I. Introduction 

We consider the following problem: Alice has a database 
of files (e.g., she runs a video-on-demand service). Bob and 
Cathy are her customers who want to access a file each from 
this database, but they want to ensure that their choices of 
file are not revealed, even if Alice colludes with the other 
customer. Alice, on the other hand, wants to make sure that 
each of her customers does not learn any more information 
from the database than the files they have demanded (the identities
of which will be unknown to her), and if the customers
collude they do not learn any more than the collection of files 
they asked for. We will require that the privacy guarantees 
are unconditional (i.e., information theoretic). We call this the 
private data transfer problem. 

This problem is an instance of secure multiparty computation
(SMPC) in, where several mutually distrusting users
wish to communicate with each other over a network in order 
to compute functions of their distributed, private inputs. At 
the end of such a computation, no user learns any more 
information about any private data than what is revealed by 
its own input and output. 

It is known that for unconditionally secure computation of 
general functions, private randomness and noiseless communication
are insufficient Q. This holds even when the users
are honest-but-curious, i.e., they follow the protocol faithfully, 
but will infer forbidden information from the random variables 
they accumulate over the protocol’s execution. Indeed, it can 
be shown that private data transfer described above cannot be
achieved if Alice, Bob, and Cathy only have private randomness
and noiseless communication (pairwise and/or public).
Additional noisy resources, in particular a noisy channel, have 
been proposed 0 as a resource to enable secure computation 
in such settings. In this paper we will consider a (noisy) 
broadcast channel from Alice to Bob and Cathy as a resource 
for achieving private data transfer. 

We study private data transfer over binary erasure broadcast 
channels for databases of size two. There are several problems 
which are very closely related to our problem. 

(i) Oblivious transfer (OT) is a family of two-party secure
computation primitives. A specific version (namely 1-of-2
string OT) is as follows: Alice and Bob are two parties,
with Alice having 2 equal-length strings, of which Bob
wants exactly one string without Alice finding out the
identity of the string Bob wants. Alice wants to ensure
that Bob receives information about only one of the two
strings. The connection to our problem will be explored
at greater length below.

(ii) Private information retrieval (PIR): Our problem can 
be viewed as a version of the PIR problem 0, M 
with symmetric privacy requirements. In the PIR problem 
(with asymmetric privacy requirement), a user wants to 
retrieve an element from a database held by one or more 
servers such that each server does not learn the identity 
of the database element retrieved. The symmetric version, 
where the servers also want to ensure that the user does 
not learn anything more than the element retrieved, has 
also been studied. The key difference with our work 
is that previous works have considered only noiseless 
communication. Under this, it is impossible to achieve 
PIR with a single server (as in our problem setting) 
with an information theoretic guarantee even for the 
asymmetric privacy requirement. The standard approach 
is to consider multiple servers (who all do not collude). 
Here, we consider a single-server PIR problem with 
symmetric privacy requirements in the honest-but-curious 
setting, but allow the use of a (noisy) broadcast channel. 

To achieve OT, it is known that a noisy resource such as a 
noisy channel between Alice and Bob is necessary, even when 
Alice and Bob are honest but curious. For the 1-of-2 string
OT described above, OT capacity of a discrete memoryless 
channel (DMC) is the largest string length (in bits) that Bob 
can obtain per use of the DMC. For honest-but-curious users, 
Nascimento and Winter Eol obtained a lower bound on the
string OT capacity of DMCs and source distributions.

Ahlswede and Csiszar obtained lower bounds on the 
string OT capacity of generalized erasure channels when users 
are honest-but-curious. For erasure probability at least these 
lower bounds are tight. Pinto et al. im showed that, for
erasure probability at least 1/2, the capacity of this model
remains unchanged even when the parties are malicious, that 
is, even when the parties may arbitrarily deviate from the 
protocol. 

This 2-party string OT setup was generalized to the case of
a wiretapped channel and the honest-but-curious OT capacity
of the case of binary erasure broadcast channels was characterized
both for 2-privacy (where the eavesdropper might collude
with either user) and 1-privacy (no collusion allowed) in IS).
A further generalization is when Alice-Bob and Alice-Cathy 
want to perform independent OTs using a (noisy) broadcast 
channel from Alice to Bob and Cathy, i.e., Alice has two pairs 
of strings. Bob is necessarily interested in a file from the first 
pair and Cathy from the second pair. Mishra et al. [9] studied
the optimal trade-off between the rates of the first pair and 
the second pair for a binary erasure broadcast channel and 
obtained inner and outer bounds for the 2-privacy rate-region 
in the honest-but-curious setting. 

Our data transfer problem can be seen as a variant of the
setup of [9], where Alice now has a collection of $N$ strings.
Bob and Cathy each want to independently pick up one of the
strings. A straightforward approach for $N = 2$ is to invoke
the achievable scheme of 0 for the symmetric rate point by
setting both pairs as the same. However, this turns out to be
sub-optimal, in general. We propose a scheme and prove its
optimality. For the general $N$ case we give upper and lower
bounds for the optimal rate.

Section II defines the problem for the case of a database
with two files and gives our main result which completely
resolves this problem. In Section III we describe the protocol
which is used to prove the achievability part of our main result.
Appendix B has the proof of the converse part of our main
result. The result is extended to the case of a database with
more than two files in Section IV where we give upper and
lower bounds on the optimal rate.

II. Problem Statement and Main Result for a
Database with Two Files

Fig. 1: Setup for private data transfer over a broadcast
channel

Fig. 2: Setup for private data transfer over broadcast channel
consisting of independent binary erasure channels

For simplicity we first consider the case of a database
with two files. Alice's private database is made up of two
equal sized files (bit-strings) $K_0, K_1$ which are $m$-bit long
each. Bob and Cathy have choice bits $U$ and $W$ respectively.
$K_0, K_1, U, W$ are independent and uniform over their
respective alphabets. By $\bar{U}$ we will denote $\bar{U} = U \oplus 1$, the
complement of $U$.

The goal is for Bob to obtain $K_U$ and Cathy to obtain $K_W$
without any additional information about the database and the
choice variables being revealed to any single user or pairs of
users, e.g., Alice on her own should not learn anything about
$U, W$; Alice and Bob working together should not learn any
information about $W$; Bob on his own should not have any
information about $W, K_{\bar{U}}$; Bob and Cathy working together
should not learn anything about $K_{\bar{U}}$ in case $U = W$; and so
on. We assume that the users are honest-but-curious.

In the setup in Figure 1, Alice can communicate to Bob
and Cathy over a memoryless broadcast channel $p_{Y,Z|X}$. In
addition, there is a public channel which is noiseless and has
unlimited capacity. Alice, Bob and Cathy can send messages
over this public channel and each such message will be
received by all users.

Definition 1: Let $n, m \in \mathbb{N}$. An $(n, m)$-protocol is an
exchange of messages between Alice, Bob, and Cathy over
the setup of Figure 1. Here $m$ is the length of each bit
string in Alice's private database and $n$ is the number of
uses of the broadcast channel she makes. Before each channel
transmission and also after the last channel transmission,
Alice, Bob and Cathy can exchange an arbitrary but finite (with
probability 1) number of messages over the public channel,
taking turns to send each such message. The messages exchanged
over the public channel and the channel transmissions
are allowed to be randomized, but the parties may only use
private randomness to accomplish this. The rate $R$ of an
$(n, m)$-protocol is defined to be $R := m/n$.

We denote by $F$ the transcript of the public channel at the end
of an $(n, m)$-protocol.

Definition 2: The final view of a user is the set of random
variables that the user observes or generates over the duration
of the $(n, m)$-protocol. The final views of Alice, Bob and
Cathy are, respectively,

$V_A := (K_0, K_1, X^n, F)$, (1)
$V_B := (U, Y^n, F)$, and (2)
$V_C := (W, Z^n, F)$. (3)

Definition 3: A rate $R$ is an achievable 2-private data
transfer rate if there exists a sequence of $(n, m)$-protocols
with rate $R$ such that as $n \to \infty$, we have

$P[k_U \neq K_U \text{ or } k_W \neq K_W] \to 0$ (4)

$I(K_{\bar{U}}; V_B, V_C \mid U = W) \to 0$ (5)

$I(U; V_A, V_C) \to 0$ (6)

$I(W; V_A, V_B) \to 0$ (7)

$I(U, W; V_A) \to 0$ (8)

$I(W, K_{\bar{U}}; V_B) \to 0$ (9)

$I(U, K_{\bar{W}}; V_C) \to 0$. (10)

Definition 4: The 2-private data transfer capacity $C_{2P}$ for
the setup of Figure 1 is the supremum of all achievable
2-private data transfer rates.

In this paper, we study the specific instance of independent
binary erasure broadcast channel (shown in Figure 2), where
$p_{YZ|X} = p_{Y|X} \cdot p_{Z|X}$ and where $p_{Y|X}$ is a binary erasure
channel BEC($\epsilon_1$) with erasure probability $\epsilon_1$, and $p_{Z|X}$ is a
BEC($\epsilon_2$).

Our main result is a characterization of the 2-private data
transfer capacity of the independent erasure broadcast channel.

Theorem 1:

$C_{2P} = \min\left(\epsilon_2(1 - \epsilon_1),\ \epsilon_1(1 - \epsilon_2),\ \epsilon_1\epsilon_2\right)$.

We prove this theorem in the next section by giving a protocol 
which can achieve rates arbitrarily close to capacity and 
proving a converse. 

III. Proof of Theorem 1

In this section, we first describe a protocol which will
be used to achieve 2-private data transfer capacity of the
setup of Figure 2. We note that the protocol described for
the setup in 0, though useful for the private data transfer
problem here, does not (in general) achieve the 2-private
data transfer capacity of the setup of Figure 2 (eg. consider
£1 < 5 j £2 G (ijf)). Before giving a formal description of
our protocol, we will outline its main ideas.

Alice begins by transmitting a sequence of independent,
uniformly distributed bits, indexed by $1, 2, \ldots, n$, over
the broadcast channel. Bob and Cathy receive independently
erased versions $Y^n$ and $Z^n$, respectively, of the transmitted
bits.

Let us consider the case $\epsilon_1, \epsilon_2 < 1/2$. Bob has about $n\epsilon_1$
erased bits in $Y^n$, and he takes the indices of these bits as
the bad set $B$. Out of the indices of unerased bits in $Y^n$, Bob
randomly picks a subset of indices, of the same cardinality
as $B$, and calls it the good set $G$. If $U = 0$, Bob assigns
$(L_0, L_1) = (G, B)$, otherwise Bob assigns $(L_0, L_1) = (B, G)$.
Bob sends $(L_0, L_1)$ over the public channel. Notice that even
if Alice and Cathy get together, they will not learn $U$ from
$(L_0, L_1)$ that Bob sent over the public channel. This follows
from the independence of the erasure channels to Bob and
Cathy and the memoryless nature of erasures.

Cathy confines her attention to $Z^n|_{L_0 \cup L_1}$, the restriction of
$Z^n$ to the indices in $L_0 \cup L_1$. In a manner similar to Bob, out of
$Z^n|_{L_0 \cup L_1}$, Cathy forms her own good and bad sets of indices
$G'$, $B'$ respectively, each of size about $2n\epsilon_1\epsilon_2$. If $W = 0$, Cathy
assigns $(L'_0, L'_1) = (G', B')$, otherwise Cathy assigns $(L'_0, L'_1)$
$= (B', G')$. Cathy sends $(L'_0, L'_1)$ over the public channel.

Alice forms two data transfer (DT) keys $T_{00}$ and $T_{11}$ as
(also see Figure 3):

$T_{00} = X^n|_{L_0 \cap L'_0}$, (11a)
$T_{11} = X^n|_{L_1 \cap L'_1}$. (11b)

Fig. 3: Illustration of the sets used in the protocol when
$U = W = 0$ and $\epsilon_1, \epsilon_2 < 1/2$

Alice then sends the following encrypted strings over the
public channel:

$M_0 = K_0 \oplus T_{00}$,
$M_1 = K_1 \oplus T_{11}$.

Bob knows $T_{UU}$. Hence, using $M_U$, Bob can recover $K_U$.
Also, Cathy knows $T_{WW}$. Hence, using $M_W$, Cathy can
recover $K_W$. Bob, however, does not know anything about
$T_{\bar{U}\bar{U}}$, and since $K_{\bar{U}}$ is encrypted with $T_{\bar{U}\bar{U}}$, he does not learn
anything about $K_{\bar{U}}$. Similarly, Cathy does not learn anything
about $K_{\bar{W}}$. If $U = W$, then even if Bob and Cathy get
together, they cannot learn anything about $K_{\bar{U}}$ since $T_{\bar{U}\bar{U}}$ is
erased for both of them.

When $\epsilon_1, \epsilon_2 > 1/2$, the size of $L_0, L_1$ is about $n(1 - \epsilon_1)$
each, and the size of $L'_0, L'_1$ is about $2n(1 - \epsilon_2)(1 - \epsilon_1)$ each.
Bob and Cathy have additional erased indices that they did
not use for sets $B$ and $B'$ respectively. Bob forms the set $C$
(of size $n(2\epsilon_1 - 1)$) and Cathy forms the set $C'$ (of size about
$2n(1 - \epsilon_1)(2\epsilon_2 - 1)$) out of these unused erased indices (see
Figure 4) and declare them over the public channel. Thereafter,
Alice-Bob get an additional rate using a two-party oblivious
transfer (OT) protocol ^ over $X^n|_C$. Notice that a two-party
protocol is appropriate since bits in $C$ are guaranteed to be
erased for Cathy. Similarly, Alice-Cathy get additional rate
using a two-party OT protocol over $X^n|_{C'}$. Thus, for $\epsilon_1, \epsilon_2 > 1/2$,
the protocol will rate-split the string Kq as {Ko,Kq) (and
similarly for Ki) of appropriate lengths to perform the data
transfer in two parts. However, for all other regimes of $\epsilon_1, \epsilon_2$,
$k_0 = K_0$ and $k_1 = K_1$.

Fig. 4: Illustration of the sets used in the protocol when
$U = W = 0$ and $\epsilon_1, \epsilon_2 > 1/2$

We now give a step-wise description of the protocol. See
Appendix E for more details on the set sizes and rate
calculations mentioned in this protocol.

Protocol 1: Let $\delta > 0$. Let $r_1 = \min\{\epsilon_1, 1 - \epsilon_1\} - \delta$ and
$r_2 = \min\{\epsilon_2, 1 - \epsilon_2\} - \delta$.

Alice
    Transmits a sequence $X^n$ of independent, uniformly
    distributed bits over the broadcast channel.

Bob
    Receives $Y^n$ from BEC($\epsilon_1$). Bob's set of erased and
    unerased indices are

    $E := \{i \in \{1, 2, \ldots, n\} : Y_i = \text{erasure}\}$,
    $\bar{E} := \{i \in \{1, 2, \ldots, n\} : Y_i \neq \text{erasure}\}$.

    If $|E| < n(\epsilon_1 - \delta)$ or $|\bar{E}| < n(1 - \epsilon_1 - \delta)$, Bob
    declares error. Otherwise Bob randomly picks the
    following sets:

    $G \sim \text{Unif}\{A \subseteq \bar{E} : |A| = n r_1\}$,
    $B \sim \text{Unif}\{A \subseteq E : |A| = n r_1\}$.

    If $\epsilon_1, \epsilon_2 > 1/2$
        $C \sim \text{Unif}\{A \subseteq (E \setminus B) : |A| = n(2\epsilon_1 - 1)\}$
    else
        $C = \emptyset$.

    Now, depending on the value of $U$, Bob further
    creates the sets $L_0, L_1$ as follows:

    $U = 0$: $L_0 = G$, $L_1 = B$
    $U = 1$: $L_0 = B$, $L_1 = G$

    Bob sends $L_0, L_1, C$ over the public channel.

Cathy
    Over the subset $Z^n|_{L_0 \cup L_1}$, Cathy defines her set of
    erased and unerased indices as

    $E' := \{i \in L_0 \cup L_1 : Z_i = \text{erasure}\}$
    $\bar{E}' := \{i \in L_0 \cup L_1 : Z_i \neq \text{erasure}\}$

    If $|E'| < 2 n r_1(\epsilon_2 - \delta)$ or $|\bar{E}'| < 2 n r_1(1 - \epsilon_2 - \delta)$,
    then Cathy declares error.

    Otherwise Cathy randomly picks the following sets:

    $G' \sim \text{Unif}\{A \subseteq \bar{E}' : |A| = 2 n r_1 r_2\}$
    $B' \sim \text{Unif}\{A \subseteq E' : |A| = 2 n r_1 r_2\}$

    If $\epsilon_1, \epsilon_2 > 1/2$
        $C' \sim \text{Unif}\{A \subseteq (E' \setminus B') : |A| = 2 n r_1(2\epsilon_2 - 1)\}$
    else
        $C' = \emptyset$.

    Now, depending on the value of $W$, Cathy further
    creates the sets $L'_0, L'_1$ as follows:

    $W = 0$: $L'_0 = G'$, $L'_1 = B'$
    $W = 1$: $L'_0 = B'$, $L'_1 = G'$

    Cathy sends $L'_0, L'_1, C'$ over the public channel.

Alice
    Alice forms the data transfer keys $T_{00}, T_{11}$ as in (11), and
    sends the following strings over the public channel.

    $M_0 = K_0 \oplus T_{00}$,
    $M_1 = K_1 \oplus T_{11}$.

    Bob knows $T_{UU}$ and, thus, can recover $K_U$.
    Cathy knows $T_{WW}$ and, thus, can recover $K_W$.

Bob
    For $\epsilon_1, \epsilon_2 > 1/2$, Bob selects a set $S \subseteq C$ as follows:
    if $\epsilon_1 < \epsilon_2$, Bob sets $S$ as the first bits of
    $C$, otherwise Bob sets $S = C$. See Appendix E-B
    for more details.

    Alice and Bob then follow the 2-party OT protocol
    m using $X^n|_S$, with the inputs {Kq, Ki, U).

Cathy
    For $\epsilon_1, \epsilon_2 > 1/2$, Cathy selects a set $S' \subseteq C'$ as
    follows: if $\epsilon_2 < \epsilon_1$, Cathy sets $S'$ as the first
    2nri(2e2-l)(}-5) bits of $C'$, otherwise Cathy sets
    $S' = C'$. See Appendix E-B for more details.

    Alice and Cathy then follow the 2-party OT protocol
    1^ using $X^n|_{S'}$, with the inputs (ko, ki,W).

Using this protocol we obtain the following achievability
result.

Lemma 1: For the setup of Figure 2, if $R <
\min(\epsilon_2(1 - \epsilon_1),\ \epsilon_1(1 - \epsilon_2),\ \epsilon_1\epsilon_2)$, then $R$ is an achievable
2-private data transfer rate.


The proof of this lemma is deferred to Appendix A. The main
ideas used in the proof are the following:

• First, by Chernoff bound, the probability that the algorithm
will abort due to the size conditions not being met
is exponentially small.

• Bob knows $T_{UU}$. Thus, from $K_U \oplus T_{UU}$ Bob can recover
$K_U$.

• Cathy knows $T_{WW}$. Thus, from $K_W \oplus T_{WW}$, Cathy can
recover $K_W$.

• When $U = W$, colluding Bob and Cathy know nothing
about $T_{\bar{U}\bar{U}}$ since it is erased for both of them. Since
Alice's transmissions always encrypt $K_{\bar{U}}$ with $T_{\bar{U}\bar{U}}$,
colluding Bob and Cathy learn nothing about $K_{\bar{U}}$.

• Alice never learns either $U$ or $W$. Note that Alice can
learn $U$ or $W$ only from the sets of indices she receives
from Bob and Cathy. In the setup, the channels act
independently of each other and independently on each
input bit. Further, the protocol ensures $|L_0| = |L_1|$ and
$|L'_0| = |L'_1|$. Thus, Alice has no means of learning about
which sets of indices it receives correspond to erasures.
Also, since Alice learns nothing about $U$, we can show
that colluding Alice and Cathy cannot learn anything
about $U$ either. Similarly, since Alice learns nothing about
$W$, colluding Alice and Bob cannot learn anything about
$W$.
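
The main phase of Protocol 1 (without the OT phase on the sets $C$, $C'$) can be checked by simulation. The following is an added example, not code from the paper: it runs the set selection, key formation and one-time-pad step over a simulated independent erasure broadcast channel and reports what each party can see. The function names, the variables `L0c`/`L1c` for Cathy's sets, and cutting each key to the first `m` indices of the intersection are assumptions of this example.

```python
import random

ERASED = None  # erasure symbol of the binary erasure channel


def capacity_2p(e1, e2):
    """Theorem 1: C_2P = min(e2(1-e1), e1(1-e2), e1*e2)."""
    return min(e2 * (1 - e1), e1 * (1 - e2), e1 * e2)


def bec(bits, eps, rng):
    """Erase each bit independently with probability eps."""
    return [ERASED if rng.random() < eps else b for b in bits]


def pick_sets(received, domain, eps, delta, choice, rng):
    """Good/bad set selection used by both Bob and Cathy.

    Returns (L0, L1), or None when the size conditions fail (declare error).
    """
    erased = [i for i in domain if received[i] is ERASED]
    unerased = [i for i in domain if received[i] is not ERASED]
    d = len(domain)
    if len(erased) < d * (eps - delta) or len(unerased) < d * (1 - eps - delta):
        return None
    size = int(d * (min(eps, 1 - eps) - delta))  # n*r1 for Bob, 2*n*r1*r2 for Cathy
    good = set(rng.sample(unerased, size))
    bad = set(rng.sample(erased, size))
    return (good, bad) if choice == 0 else (bad, good)


def run_protocol(n, m, e1, e2, delta, U, W, seed):
    rng = random.Random(seed)
    K = [[rng.randrange(2) for _ in range(m)] for _ in range(2)]  # files K_0, K_1
    X = [rng.randrange(2) for _ in range(n)]                      # Alice's broadcast
    Y, Z = bec(X, e1, rng), bec(X, e2, rng)                       # independent erasures

    bob = pick_sets(Y, range(n), e1, delta, U, rng)
    if bob is None:
        return None
    L0, L1 = bob                                                  # sent publicly
    cathy = pick_sets(Z, sorted(L0 | L1), e2, delta, W, rng)
    if cathy is None:
        return None
    L0c, L1c = cathy                                              # sent publicly

    # Alice: T_jj is X restricted to L_j ∩ L'_j.
    # Assumption of this example: keep the first m indices, abort if too few.
    idx = [sorted(L0 & L0c)[:m], sorted(L1 & L1c)[:m]]
    if min(len(idx[0]), len(idx[1])) < m:
        return None
    M = [[k ^ X[i] for k, i in zip(K[j], idx[j])] for j in range(2)]  # sent publicly

    def decrypt(j, received):
        # A user can strip T_jj only at positions it received unerased.
        return [None if received[i] is ERASED else c ^ received[i]
                for c, i in zip(M[j], idx[j])]

    def known(j, *views):
        # Number of T_jj positions visible in at least one of the given views.
        return sum(any(v[i] is not ERASED for v in views) for i in idx[j])

    return {
        "files": K,
        "bob": decrypt(U, Y),
        "cathy": decrypt(W, Z),
        "bob_sees_other_key": known(1 - U, Y),
        "cathy_sees_other_key": known(1 - W, Z),
        "colluders_see": [known(0, Y, Z), known(1, Y, Z)],
    }
```

With `n = 20000`, `m = 1500`, erasure probabilities 0.3 and 0.4 and `delta = 0.05`, the rate `m/n` is below `capacity_2p(0.3, 0.4)`, and the size checks fail only with negligible probability.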

Converse of Theorem 1

The converse of Theorem 1 is proved in Appendix B where
we show the following general upper bound on $C_{2P}$ in the
setup of Figure 1:

$C_{2P} \le \min\left(\max_{p_X} I(X; Y|Z),\ \max_{p_X} I(X; Z|Y),\ \max_{p_X} H(X|Y, Z)\right)$.

Evaluated for the setup of Figure 2, this gives the required
upper bound.

IV. Databases with N > 2 files

The problem definition in Section II can be readily extended
to a database with $N$ files; see Appendix C. Generalizing the
protocol and the converse (see Appendix D) from the last
section we can obtain the following upper and lower bounds
on the 2-private data transfer capacity. Let

$R_{UB} = \min\left(\epsilon_2(1 - \epsilon_1),\ \epsilon_1(1 - \epsilon_2),\ \frac{\epsilon_1\epsilon_2}{N - 1}\right)$

and

ei €2
iV-1 ’ AT-l’
(1 ~ Cl) • (1 ~ £ 2 ) + Rex

where

£i'
,€2
VI
£i
<
N-1
£o
N > ^2
N
£l
Alii
<
N-1
N ’ ^2
N
£l:
) ^2
^ N ■
)

$R_{ex} = \min\left((1 - \epsilon_2)(1 - N(1 - \epsilon_1)),\ (1 - \epsilon_1)(1 - N(1 - \epsilon_2))\right)$.

Theorem 2:

$R_{LB} \le C_{2P} \le R_{UB}$.

We note that the upper and lower bounds in Theorem 2 are
not very close, especially for large $N$. For instance, for erasure
probabilities less than 1 — there is a factor of $(N - 1)$ gap.

V. Future Work

Besides finding tighter bounds for the general $N$ case,
there are several natural directions of enquiry: (i) the case
of more than two users, (ii) asymmetric case where privacy
is desired only on the choices, (iii) other channel models, (iv)
the malicious model where the dishonest users may deviate
from the protocol arbitrarily.

Appendix A
Proof of Lemma 1

In this proof, we use a sequence of Protocol 1 instances and
show that (4)-(10) hold for $\{P_n\}_{n \in \mathbb{N}}$. We consider the case
when either $\epsilon_1 < 1/2$ or $\epsilon_2 < 1/2$. The case where both $\epsilon_1, \epsilon_2 > 1/2$
involves an additional phase (as described in Section III) where
the well-understood 2-party OT protocol of m is invoked.
For ease of exposition, this case is not being considered here.
Hence, for the proof presented here, $k_0 = K_0$ and $k_1 = K_1$.

For the protocol $P_n$, we get $r_n = r_1 r_2 \to C_{2P}$, since
$\delta > 0$ can be chosen arbitrarily small for sufficiently large $n$.

Let $J$ denote the event that either Bob or Cathy declares an
error during the protocol. Then, by Chernoff bound,
$P[J = 1] \to 1$ as $n \to \infty$.

1) To show that (4) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$, we note that

$P[k_U \neq K_U \text{ or } k_W \neq K_W]$
$= P[J = 0]\, P[k_U \neq K_U \text{ or } k_W \neq K_W \mid J = 0]$
$\quad + P[J = 1]\, P[k_U \neq K_U \text{ or } k_W \neq K_W \mid J = 1]$.

Since $\Pr[J = 0] \to 0$ exponentially fast, it is sufficient
to show that $P[k_U \neq K_U \text{ or } k_W \neq K_W \mid J = 1] \to 0$
as $n \to \infty$.

Now, when $J = 1$, Bob knows $T_{UU}$ and, thus, recovers
$k_U$. Similarly, Cathy knows $T_{WW}$ and, thus, recovers
$k_W$. As a result, $P[k_U \neq K_U \text{ or } k_W \neq K_W \mid J = 1] = 0$.

For the remaining part of this proof, we define the following
quantities for ease of notation:

$\mathbf{G} = (G, B, G', B')$,
$\mathbf{L} = (L_0, L_1, L'_0, L'_1)$,
$\mathbf{M} = (M_0, M_1)$,
$F = (\mathbf{L}, \mathbf{M})$.

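2) To show that (5) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$, we note that

$I(K_{\bar{U}}; V_B, V_C \mid U = W)$
$\le I(K_{\bar{U}}; V_B, V_C, J \mid U = W)$
$= \sum_{j = 0,1} P[J = j]\, I(K_{\bar{U}}; V_B, V_C \mid J = j, U = W) + I(K_{\bar{U}}; J \mid U = W)$.

Since $\Pr[J = 0] \to 0$ exponentially fast and
$I(K_{\bar{U}}; J \mid U = W) = 0$, it is sufficient to show that
$I(K_{\bar{U}}; V_B, V_C \mid U = W, J = 1) \to 0$ as $n \to \infty$.
Now,

$I(K_{\bar{U}}; V_B, V_C \mid U = W, J = 1)$
$= H(K_{\bar{U}} \mid U = W, J = 1) - H(K_{\bar{U}} \mid V_B, V_C, U = W, J = 1)$
$= H(K_{\bar{U}}) - H(K_{\bar{U}} \mid V_B, V_C, U = W, J = 1)$
$= H(K_{\bar{U}}) - H(k_{\bar{U}} \mid V_B, V_C, U = W, J = 1)$
$= H(K_{\bar{U}}) - H(k_{\bar{U}} \mid U, W, Y^n, Z^n, F, U = W, J = 1)$
$= H(K_{\bar{U}}) - H(k_{\bar{U}} \mid U, W, Y^n, Z^n, \mathbf{L}, \mathbf{M}, U = W, J = 1)$.

Now,

$H(k_{\bar{U}} \mid U, W, Y^n, Z^n, \mathbf{L}, \mathbf{M}, U = W, J = 1)$
$= H(k_{\bar{U}} \mid U, W, Y^n, Z^n, \mathbf{G}, \mathbf{M}, U = W, J = 1)$
$= H(k_{\bar{U}} \mid U, W, Y^n, Z^n, \mathbf{G}, \mathbf{M}, T_{UU}, U = W, J = 1)$
  [$T_{UU}$ is a function of $(\mathbf{G}, Y^n, Z^n)$]
$= H(k_{\bar{U}} \mid U, \mathbf{M}, T_{UU}, U = W, J = 1)$
  [since $k_{\bar{U}} - (U, \mathbf{M}, T_{UU}, U = W, J = 1) - (W, Y^n, Z^n, \mathbf{G})$
  is a Markov chain]
$= H(k_{\bar{U}} \mid U, k_U, k_{\bar{U}} \oplus T_{\bar{U}\bar{U}}, T_{UU}, U = W, J = 1)$
$= H(k_{\bar{U}} \mid k_{\bar{U}} \oplus T_{\bar{U}\bar{U}})$
$= H(k_{\bar{U}})$.

So we get

$I(K_{\bar{U}}; V_B, V_C \mid U = W, J = 1) = H(K_{\bar{U}}) - H(k_{\bar{U}})$
$= 0$.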

3) To show that (6) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$, as before, it
will suffice to show that $I(U; V_A, V_C \mid J = 1) \to 0$.

$I(U; V_A, V_C \mid J = 1)$
$= I(U; K_0, K_1, W, X^n, Z^n, F \mid J = 1)$
$= I(U; K_0, K_1, W, X^n, Z^n, \mathbf{L}, \mathbf{M} \mid J = 1)$
$= I(U; K_0, K_1, W, X^n, Z^n, \mathbf{L} \mid J = 1)$
  [$\mathbf{M}$ is a function of $(K_0, K_1, X^n, \mathbf{L})$]
$= I(U; X^n, Z^n, \mathbf{L} \mid J = 1)$
  [$U - (X^n, Z^n, \mathbf{L}, J = 1) - (K_0, K_1, W)$]
$= I(U; X^n, L_0, L_1 \mid J = 1)$
  [$U - (X^n, L_0, L_1, J = 1) - (Z^n, L'_0, L'_1)$]
$= I(U; L_0, L_1 \mid J = 1)$
  [$U - (L_0, L_1, J = 1) - X^n$]
$= H(L_0, L_1 \mid J = 1) - H(L_0, L_1 \mid U, J = 1)$
$= H(L_0, L_1 \mid J = 1) - H(G, B \mid U, J = 1)$
$= H(L_0, L_1 \mid J = 1) - H(G, B \mid J = 1)$
$= 0$
  [since $(L_0, L_1)$, $(G, B)$ have same distribution,
  conditioned on $J = 1$]

4) The proof for showing that (7) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$
is similar to showing that (6) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$.

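5) To show that (8) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$, it will suffice
to show that $I(U, W; V_A \mid J = 1) \to 0$.

$I(U, W; V_A \mid J = 1)$
$= I(U, W; K_0, K_1, X^n, F \mid J = 1)$
$= I(U, W; K_0, K_1, X^n, \mathbf{L}, \mathbf{M} \mid J = 1)$
$= I(U, W; K_0, K_1, X^n, \mathbf{L} \mid J = 1)$
  [$\mathbf{M}$ is a function of $(K_0, K_1, X^n, \mathbf{L})$]
$= I(U, W; \mathbf{L} \mid J = 1)$
$= I(U; L_0, L_1 \mid J = 1) + I(W; L'_0, L'_1 \mid J = 1)$
$= H(L_0, L_1 \mid J = 1) - H(G, B \mid J = 1)$
$\quad + H(L'_0, L'_1 \mid J = 1) - H(G', B' \mid J = 1)$
$= 0$
  [since $(L_0, L_1)$, $(G, B)$ have same distribution
  and $(L'_0, L'_1)$, $(G', B')$ have same distribution
  conditioned on $J = 1$]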

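6) To show that (9) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$, it will suffice
to show that $I(W, K_{\bar{U}}; V_B \mid J = 1) \to 0$.

$I(W, K_{\bar{U}}; V_B \mid J = 1)$
$= I(W, K_{\bar{U}}; V_B, T_{UU} \mid J = 1)$
  [since $T_{UU}$ is a function of $V_B$]
$= I(W, K_{\bar{U}}; V_B, K_U, T_{UU} \mid J = 1)$
  [since $K_U$ is a function of $(V_B, T_{UU})$]
$= I(W, K_{\bar{U}}; U, Y^n, \mathbf{L}, \mathbf{M}, K_U, T_{UU} \mid J = 1)$
$= I(W, K_{\bar{U}}; U, Y^n, \mathbf{L}, K_U, T_{UU}, K_{\bar{U}} \oplus T_{\bar{U}\bar{U}} \mid J = 1)$
$= I(W, K_{\bar{U}}; L'_0, L'_1, K_{\bar{U}} \oplus T_{\bar{U}\bar{U}} \mid J = 1)$
  [$(W, K_{\bar{U}}) - (L'_0, L'_1, K_{\bar{U}} \oplus T_{\bar{U}\bar{U}}, J = 1)$
  $- (U, Y^n, L_0, L_1, K_U, T_{UU})$]
$= I(W; L'_0, L'_1 \mid J = 1) + I(K_{\bar{U}}; K_{\bar{U}} \oplus T_{\bar{U}\bar{U}} \mid J = 1)$
$= 0$

7) The proof for showing that (10) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$
is similar to showing that (9) is satisfied for $\{P_n\}_{n \in \mathbb{N}}$.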

Appendix B
Converse of Theorem 1

The proof of converse is along the lines of the converse
arguments in HI Lemma 5] (although it does not follow from
there). We first argue that the following is a general upper bound
on $C_{2P}$:

$C_{2P} \le \min\left(\max_{p_X} I(X; Y|Z),\ \max_{p_X} I(X; Z|Y),\ \max_{p_X} H(X|Y, Z)\right)$.

To see that $C_{2P} \le \max_{p_X} I(X; Y|Z)$, suppose we run a
2-private data transfer protocol with $U = 0$ and $W = 1$
(both deterministic). Now $K_0$ is a secret key between Alice
and Bob which is secret from Cathy. The bound follows
from the fact III that the secret key capacity of the
broadcast channel $p_{YZ|X}$ with public discussion is upper
bounded by $\max_{p_X} I(X; Y|Z)$. Reversing the roles of Bob
and Cathy gives the second term. To prove that $C_{2P} \le
\max_{p_X} H(X|Y, Z)$, consider running the data transfer protocol
with $U = W$, a uniform bit. We may view this as a protocol
for two-party OT between Alice and the combination of
Bob-Cathy over the channel $p_{YZ|X}$ whose output is $(Y, Z)$. The
bound follows from the two-party OT capacity upper bound ||2l
of $\max_{p_X} H(X|Y, Z)$. It is easy to evaluate these bounds for
our binary erasure broadcast channel to obtain the converse:
$\max_{p_X} I(X; Y|Z) \le \epsilon_2(1 - \epsilon_1)$, $\max_{p_X} I(X; Z|Y) \le \epsilon_1(1 - \epsilon_2)$,
$\max_{p_X} H(X|Y, Z) \le \epsilon_1\epsilon_2$.

Appendix C
Problem Definition for Databases with N > 2 Files

The main difference is that Alice's private database is now
made up of $N$ strings $K_0, K_1, \ldots, K_{N-1}$ which are $m$-bit
each. Let $\mathbf{K} = (K_0, K_1, \ldots, K_{N-1})$. Bob and Cathy have
choice variables $U$ and $W$ respectively which take values in
$\{0, 1, \ldots, N - 1\}$. $\mathbf{K}, U, W$ are independent and uniform over
their respective alphabets.

Alice's view is now

$V_A := (\mathbf{K}, X^n, F)$,

Bob and Cathy's views are given by (2)-(3). The privacy
conditions (5) and (9)-(10) are replaced by

$I(\mathbf{K} \setminus K_U; V_B, V_C \mid U = W) \to 0$
$I(W, \mathbf{K} \setminus K_U; V_B) \to 0$
$I(U, \mathbf{K} \setminus K_W; V_C) \to 0$,

where by $S \setminus T$ we mean the ordered set $S$ from which
corresponding elements in $T$ have been removed. In addition,
we also have a condition to handle the case where $U \neq W$:

$I(\mathbf{K} \setminus (K_U, K_W); V_B, V_C \mid U \neq W) \to 0$.

Appendix D
Proof of Theorem 2

To prove the lower bound, we directly extend Protocol 1 to
the case where Alice has $N$ strings as follows:

• Bob now forms $N$ sets $L_0, L_1, \ldots, L_{N-1}$, each of size
about nmin 1 — £1^ The set $L_U$ consists of
unerased indices of $Y^n$ and all other sets consist of erased
indices of $Y^n$.

• Cathy confines her attention to $Z^n|_{L_0 \cup L_1 \cup \cdots \cup L_{N-1}}$ and
forms her own sets $L'_0, L'_1, \ldots, L'_{N-1}$, each of size
about A'nmin 1 — £1^ min 1 — £2^.
Only set $L'_W$ consists of unerased indices of
$Z^n|_{L_0 \cup L_1 \cup \cdots \cup L_{N-1}}$; the other sets contain erased
indices of $Z^n|_{L_0 \cup L_1 \cup \cdots \cup L_{N-1}}$.

• Alice forms the data transfer keys $T_{jj} = X^n|_{L_j \cap L'_j}$,
$j = 0, 1, \ldots, (N - 1)$.

• Alice sends the encrypted strings $M_j = K_j \oplus T_{jj}$,
$j = 0, 1, \ldots, (N - 1)$.

• Similar to the last two steps of the protocol of Section III,
both Bob and Cathy get extra data transfer rates, using
the 2-party OT protocol 12, when > 1 — ei and
> 1 — € 2 - Alice and Bob use $X^n|_C$ (which is
completely erased for Cathy) while Alice and Cathy use
$X^n|_{C'}$ (which is completely erased for Bob) to obtain this
extra data transfer rate $R_{ex}$. See Appendix E for details
of all rate calculations.

With this modified protocol, achievability of $R_{LB}$ follows
along the lines of the proof of Lemma 1.

The upper bound also immediately follows from the same
line of arguments used to establish the converse of Theorem 1
and a direct extension of the converse of 12 to 1-out-of-$N$
string OT.

and Cathy use X'^\c for getting this extra rate, using the two- 
party OT protocol of 12 - 

The extra rate Bob can get is \C\ ■ — 5) while the extra 

rate Cathy can get is |C'|r 2 = |C|(1 — e 2 — 5). However, since 
Bob and Cathy can obtain only symmetric rate (see Section HJ 
and Appendix O, the extra rate both Bob and Cathy get is : 

i?ex = min ||C| • - 5), |C|(1 - 62 - (5)| 


Appendix E
Computing Set Sizes and Data Transfer Rate Expressions

In this section, we will show how the sizes of the different
sets that Alice, Bob and Cathy create during the protocol have
been calculated. The sizes are given for arbitrary $N$ (number
of files). We then derive the expression for the data transfer
rate that Bob and Cathy are guaranteed to get in any regime
of $\epsilon_1, \epsilon_2$. We finally derive the expression for the extra data
transfer rate that Bob and Cathy will get when N-l ^ ^
and >1-62.


A. Set Sizes 

For ease of notation, let ri = ^min | , 1 — 6 i | — (5^ 

and 


r2 = (min|;j^,l -62I -()). 


\E\ = n(6i - S) 

\E\ = n(l - 61 - ( 5 ) 

\Lj \ = min|;|^, |E;|| = nri, j = 0,1,..., W - 1 
r \E\-{N-l)\El ^,>\E\ 

I < 1^1 

\^'\ — (l^ol + l-^il + • ■ • + ILat-iI) • (62 — i 5 ) 

I = (l^ol + |Ai| -f ■. ■ -f ILat-iI) • (1 — 62 — 5 ) 

\Lj\ = min|J^, |£;'|| = Nnrir2,j = 0,1,....A^-1 
( \E'\-iN-l)\E'\, ^>\e'\ 

0, < l^'l 


|( 7 | = 


B. Deriving Data Transfer Rate expressions 

The data transfer rate that Bob and Cathy are guaranteed to
get in all regimes of $\epsilon_1, \epsilon_2$ is:


n 

\-^33\ 

1 

/ 1 A 

n 


1 

( ^Nnrir2 

n 

\N 

= T 1 T 2 


Bob and Cathy get extra data transfer rates when > 
1 ~ Cl, > 1 — 62 . Alice and Bob use X’^\^ while Alice 



